IN GSM Notes

8/10/2019 IN GSM Notes

1/62

IN

Intelligent Network

Basic IN concept & technology

Some basic IN services


2/62

Intelligent Network (IN) Concept

The intelligent network concept:intelligence is takenout of exchanges and placed in computer nodes thatare distributed throughout the network.

Intelligence => access to various databases

This provides the network operator with the meansto develop and control servicesmore efficiently. Newcapabilities can be rapidly introduced into the

network. Once introduced, services are easilycustomized to meet individual customer's needs.


3/62

Intelligent Network (IN) Concept

Exchange

STP SCP

SSP

Service Control Point(a network element containing

the service logic, a database orregister)

Service Switching Point(enables service triggering in an

exchange)

MAP

INAPCAP

ISUP

Operator implements service logic (IN Service)


4/62


5/62

Typical call-related IN procedure (1)

SSP

Exchange

SCP

1.

2.

3.

4.

5.Exchange

1.Call routing proceeds up to Exchange

2.Trigger activated in Basic Call State Modelat SSP

3.SSP requests information from SCP (database)

4.SCP provides information

5.Call routing continues (routing to next exchange)based on information received from SCP


6/62

SSP

Exchange

SCP

1.

2.

3.

4.

5.Exchange

2.Trigger activated in Basic Call State Model at SSP

Typical triggers:

Called number (or part of number)Called user (destination) is busyCalled user does not answer in predefined time



7/62

SSP

Exchange1.

2.

3.

5.Exchange

Example: Number translation in SCP

SSP sends 800 number (0800 1234)

SCP translates into real number whichis used for routing the call(+358 9 1234567)

4.SCP provides information

SCP


translationmay be

based onseveral

variables

4.


8/62

Destination 1

SCP decides the destination of the call depending on the

calling time or date:

9.00 - 17.00 => Destination 117.00 - 9.00 => Destination 2

SCP

Examples of how SCP can affect call (1)

Destination 2

SSP

Exchange

Called number

Time or date


9/62

Destination 1


location of calling user:

Calling user in southern Finland => Destination 1Calling user in northern Finland => Destination 2

SCP


Destination 2

SSP

Exchange

Called number, Calling number


10/62

Destination 1


traffic load in the network:

Traffic load situation 1 => Destination 1Traffic load situation 2 => Destination 2

SCP


Destination 2

SSP

Exchange

Called number

Network load


11/62

Intelligent Peripheral (IP)can (a) send announcements

to the user (usually: calling user) and (b) receive DTMFdigitsfrom the user. IP is not a database; connection toexchange not via SS7, instead via digital TDM channels.

SCP

Additional IN features (1)

SSP

Exchange Exchange

IP


12/62

Typical applications:1) Whenever services need user interaction

2) User authentication

SCP

Additional IN features (2)

SSP

Exchange Exchange

IP


13/62

SCP

User interaction in IN service

SSP

Exchange Exchange

IP

1.

4.

2.

3.

1.SCP orders IP to select and send announcement

2.IP sends announcement to calling user

3.User replies by giving DTMF number(s) to IP

4.IP sends number information to SCP in a signallingmessage

Announcement:for this .. press 1,for that .. press 2


14/62

SCP

User authentication (1)

SSP

Exchange Exchange

IP

1.

4.

2.

3.

1.SCP orders IP to select and send announcement

2.IP sends announcement to calling user

3.User gives authentication code (in DTMF form) to IP

4.IP sends authentication code to SCP in a signallingmessage

Announcement:please press yourPIN code ...


15/62

SCP

User authentication (2)

SSP

Exchange

IP

1.

3.

2.

Display message:please press yourPIN code ...

When connected to the network via a digital

subscriber line, the calling user can benotified with a digital message (please pressyour PIN code ...) instead of having to usethe corresponding voice announcement.

1.


16/62

IN services

A large number of IN services can be implemented bycombining different building blocks:

Called number translation (at SCP)

Routing decision based on calling number,

time, date, called user busy, called useralerting timeout, network load ...

Announcements (from IP) or user notification(


17/62

IN service examples

Traditional IN services:

- Freephone / customised charging schemes

- Virtual Privat Network (VPN)

- Number portability

- Televoting

IN in mobile networks:

- Mobility management (HLR, VLR = databases)

- Security management (Authentication ...)- Additional IN services in mobile networks =>CAMEL (Customised Applications for Mobilenetworks Enhanced Logic)


18/62

Freephone (800) service

User calls 0800 76543. SSP sends this number to SCPwhich after number analysis sends back to SSP thereal destination address (09 1234567) and call can berouted to the destination. Called party is charged.

SSP

Exchange

SCP

1.

2.

3.

4.

5.Destination

Charging: Destination (service subscriber)pays the bill


19/62

Premium rate service

User calls 0200 34343. SSP sends this number to SCPwhich after number analysis sends back to SSP thereal destination address (09 676567) and call can berouted to the destination. Calling party is charged.

SSP

Exchange

SCP

1.

2.

3.

4.

5.Destination

Charging: Calling user (customer) pays the (usually ratherexpensive) bill. Both service subscriber and service provideror network operator make profit!


20/62

Virtual private network (VPN) service

A VPN provides corporate customers with a privatenumber plan within the PSTN. The customer dials aprivate (short) number instead of the complete publicnumber in order to contact another user within the VPN.User authentication is usually required.

SSP

Exchange

SCP

Destination

IPUser authentication

Number translation: 1212 => 09 1234567

Customised charging


21/62

Screening of incoming calls

This is an example of an IN service related to the calldestination end. Alert called user only if calling numberis 121212 or 234567, otherwise do something else (e.g.reject call or redirect call to another destination).

SSP

Exchange

SCP

Called user

Calling number = 121212 or 234567: AcceptAll other calling numbers: Reject or redirect

Local exchange of called user


22/62

VLR

Mobile terminated call (MTC)

By far the most important "IN service" is mobilitymanagement during a mobile terminated call (MTC),which means finding out under which exchange ormobile switching center (MSC) a mobile user isroaming, so that the call can be routed to this

exchange. More about this later.

GMSC

HLR

1.

2.

5.

6.

Serving MSC

3.

4.

7.


23/62

More about IN and IN services

The link www.iec.org/online/tutorials/in provides someexamples in Section 10 (AIN Service Creation Examples),for instance:

Exampleof servicecreation

template:


24/62


25/62

Cellular concept

A cellular network contains a large number of cellswitha base station(BS) at the center of each cell to whichmobile stations(MS) are connected during a call.

BS

BS

BS

BS

MS

If a connected MS(MS in call phase)moves between twocells, the call is notdropped.

Instead, the network

performs a handover(USA: handoff).


26/62

Mobility concept

A cellular network is divided into location areas (LA),each containing a certain number of cells.

As long as an idle MS(idle = switched on)moves within a locationarea, it can be reachedthrough paging.

If an idle MS moves betweentwo location areas, it cannot bereached before it performslocation updating.

Location Area 1

Location Area 3

LocationArea 2


27/62


28/62

Serving MSC

GSMBSS

3G

RAN PS core network

CS core network

GMSCMSC

VLR

HLR

AuC

EIR

PSTN

In

ternet

The serving mobile switchingcenter (MSC) is the mobilecounterpart to the localexchange in the PSTN.

This is the MSC that is currentlyserving a mobile user.


29/62

VLR

GSMBSS

3G

RAN PS core network

CS core network

GMSC

HLR

AuC

EIR

PSTN

In

ternet

The visitor location registerstores temporary informationon mobile users roaming in alocation area under thecontrol of the MSC/VLR.

MSC

VLR


30/62

Gateway MSC

GSMBSS

3G

RAN PS core network

CS core network

GMSC

HLR

AuC

EIR

PSTN

In

ternet

MSC

VLR

The gateway MSC (located in the homePLMN of a mobile user) is the first contactpoint in the mobile network when there isan incoming call to the mobile user.


31/62

HLR

GSMBSS

3G

RAN PS core network

CS core network

GMSC

HLR

AuC

EIR

PSTN

In

ternet

The home location registerstores information on mobileusers belonging to this mobilenetwork (e.g. subscription dataand present VLR under whichthe mobile user is roaming).

MSC

VLR


32/62

AuC

GSMBSS

3G

RAN PS core network

CS core network

GMSC

HLR

AuC

EIR

PSTN

In

ternet

The authentication center safelystores authentication keys (Ki)of mobile subscribers belongingto this mobile network.

MSC

VLR


33/62


34/62


35/62

CS core network

GSMBSS

3G

RAN PS core network

CS core network

GMSC

HLR

AuC

EIR

PSTN

In

ternet

MSC

VLRThe CS core network architecture isbasically the same in 2G (GSM) and 3G

mobile networks.

In North America, IS-MAP signalling isused instead of GSM-MAP signalling.

Europe: GSM core network

N. America: ANSI-41 core network


36/62


37/62

Range of functions

GSMBSSor3G

RAN

PS core network

CS core networkRRM

MM

CC

SM


38/62

Random access in a mobile network

Communication between MS and network is not possiblebefore going through a procedure called random access.

Random access must consequently be used in:

Network-originated activity

paging, e.g. for a mobile terminated call (MTC)

MS-originated activityIMSI attach, IMSI detatchGPRS attach, GPRS detachlocation updating

mobile originated call (MOC)SMS (short message service) message transfer

1


39/62

Random access in action (GSM)

1. MS sends a short access burst over the RandomAccess CHannel(RACH) in uplink using Slotted Aloha (incase of collision => retransmission after random time)

2. After detecting the access burst, the network returnsan immediate assignment message which includes the

following information:

- allocated physical channel (frequency, time slot) inwhich the assigned signalling channelis located

- timing advance (for correct time slot alignment)

3. The MS now sends a message on the dedicatedsignalling channel assigned by the network, indicatingthe reason for performing random access.

1


40/62

Multiplexing vs. multiple access

In downlink, multiplexing (e.g. TDM)

In uplink, multiple access (e.g. TDMA)

Multiple access is always associated with randomaccess. MS requests signalling channel, and networkdecides which channel (e.g. time slot) will be used.

Network decides channel

Network decides channel also in this case


41/62

1) PIN code (local authentication of handset=> local security measure, network is not involved)

2) Authentication (performed by network)

3) Ciphering of information sent over air interface

4) Usage of TMSI (instead of IMSI) over air interface

IMSI= International Mobile Subscriber Identity(globally uniqueidentity)

TMSI= Temporary Mobile Subscriber Identity(local and temporaryidentity)

Security measures in a mobile network


42/62

Algorithm Algorithm

The same? If yes,authentication is successful

SIM(in handset)

Airinterface

Network (algorithmrunning in AuC)

Random numberChallenge

Response

Authentication key Authentication key

RAND

SRESS

Ki Ki

Basic principle of authentication2

SRESA


43/62

Algorithm for calculating SRES runs within SIM (userside) and AuC (network side). The authentication key(Ki) is stored safely in SIM and AuC, and remains thereduring authentication.

The two SRES values are compared in the VLR.

Where does the algorithm run?2

AuCSIMVLR

Air interface

SRESS SRESA

RAND

Ki Ki


44/62

Using output and one or more inputs, it is in practicenot possible to calculate backwards other input(s),brute force approach, extensive search

Key length in bits (N) is important (in case of bruteforce approach 2Ncalculation attempts may be needed)

Strength of algorithm is that it is secret => bad idea!Security through obscurity

Better: open algorithm can be tested by engineeringcommunity (security through strong algorithm)

Algorithm considerations2


45/62

HLR

MSC

VLR 1

Most recently allocated TMSI and last visited LAI (Location

Area ID) are stored in SIM even after switch-off.After switch-on, MS monitors LAI. If stored and monitoredLAI values are the same, no location updating is needed.

(Most generic scenario, see van Bosse for details)

MSC

VLR 2

IMSI

LAI 1TMSI

LAI 1

IMSILAI 1

3

(in broadcast messages)

Case study: Location updating (1)

SIM

IMSITMSI


46/62

SIM

MSC

VLR 1

MS has moved from a cell belonging to VLR 1 to anothercell belonging to VLR 2.

MS notices that the LAI values are different => locationupdate is required!

MSC

VLR 2

LAI 2

HLR

(in broadcastmessages)

3 Location updating (2)

IMSILAI 1

IMSITMSI

IMSI

LAI 1TMSI


47/62

SIM

MSC

VLR 1

MSC

VLR 2

HLR


IMSILAI 1

SIM sends old LAI (i.e., LAI 1) and TMSI to VLR 2.

VLR 2 does not recognize TMSI since there is no TMSI-IMSI context. Who is this user?

LAI 1, TMSI

No TMSI- IMSI context!

IMSITMSI

IMSI

LAI 1TMSI


48/62


49/62

SIM

MSC

VLR 1

MSC

VLR 2

HLR


IMSITMSI

Important:HLR must be updated (new LAI). If this is not

done, incoming calls can not be routed to new MSC/VLR.

HLR also requests VLR 1 to remove old user data.

IMSITMSI

IMSILAI 1LAI 2

LAI 2

IMSI

LAI 1TMSI


50/62

SIM

MSC

VLR 1

MSC

VLR 2

HLR


IMSILAI 2

VLR 2 generates new TMSI and sends this to user. User

stores new LAI and TMSI safely in SIM.

Location updating was successful!

IMSI

LAI 1TMSILAI 2TMSI

LAI 2TMSI

IMSITMSITMSI


51/62

Trade-off when choosing LA size

Affects signalling load

If LA size is very large(e.g. whole mobile network)

location updating not needed very oftenpaging load is very heavy

If LA size is very small(e.g. single cell)

small paging load

location updating must be done very often

High paging channel capacity required

+

+

3


52/62

Role of TMSI

MS NetworkRandom access

Authentication

Start ciphering

IMSI detach New TMSIallocated by

networkNew TMSI stored in SIM

CC or MM transaction

UsesTMSI

IMSI is not

sent over airinterface if

not absolutelynecessary!


53/62

Mobile network identifiers (1)

SNCCMSISDN

CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)SN = Subscriber Number

NDC=

Globallyuniquenumber

E.164 numberingformat

Mobile station ISDN (MSISDN) numbers are based on theITU-T E.164 numbering plan and can therefore be used forrouting a circuit-switched call.

When the calling (PSTN or PLMN) user dials an MSISDNnumber, the call is routed to the gateway MSC (GMSC)located in the home network of the called (mobile) user.


54/62


TNCCMSRN

CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)TN = Temporary Number

NDC=

Temporarilyallocatednumber

E.164 numberingformat

Mobile station roaming numbers (MSRN) are also basedon the ITU-T E.164 numbering plan and can therefore beused for routing a circuit-switched call.

The MSRN is selected by the MSC/VLR serving the called(mobile) user, sent to the GMSC, and used for routing thecall from the GMSC to the serving MSC.


55/62


MSINMCCIMSI

MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)MSIN = Mobile Subscriber Identity Number

(10 digits)

MNC= E.212 numberingformat

The international mobile station identity (IMSI) is basedon the ITU-T E.212 numbering plan and cannot be usedfor routing a circuit-switched call (exchanges or switching

centers do not understand such numbers).

The IMSI is stored in the HLR and SIM of the mobile user.



56/62


LACMCCLAI

MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)LAC = Location Area Code (10 digits)

MNC= E.212 numberingformat

The location area identity (LAI) points to a location areabelonging to a certain MSC/VLR. This identity must bestored in the HLR so that mobile terminated calls can berouted to the correct serving MSC/VLR.


IMEI Serial number of handset (not SIM)


57/62

4 Case study: Mobile terminated call (1)

VLR

1. Using the MSISDN number (dialled by the callinguser located in the PSTN or the PLMN of anotheroperator) and standard SS7/ISUP signalling, thecall is routed to the GMSC in the home networkofthe called mobile user.

GMSC

HLR

1.

2.

4.

5.

Serving MSC

3.

4.

6.

(see van Bosse for details)


58/62

4 Mobile terminated call (2)

VLR

GMSC

HLR

1.

2.

4.

5.

Serving MSC

3.

4.

6.

2. The GMSC contacts the HLR of the called mobileuser. The SS7/MAP signalling message containsthe MSISDN number which points to the mobileuser record (containing IMSI, LAI where user isroaming, etc.) in the HLR database.


59/62


VLR

GMSC

HLR

1.

2.

4.

5.

Serving MSC

3.

4.

6.

3. Using global title translation (GTT), the HLRtranslates the IMSI and LAI information into thesignalling point code of the serving MSC/VLR.

The HLR sends SS7/MAP request Provide roaming

number (i.e. MSRN) to the VLR.


60/62


VLR

GMSC

HLR

1.

2.

4.

5.

Serving MSC

3.

4.

6.

4. The VLR selects a temporary MSRN. Note thatthere must be binding between MSRN and IMSI inthe VLR.

The VLR sends the MSRN to the GMSC (using

SS7/MAP signalling).

MSRN IMSI


61/62


VLR

GMSC

HLR

1.

2.

4.

5.

Serving MSC

3.

4.

6.

5. Using the MSRN number and standard SS7/ISUPsignalling, the call is routed to the serving MSC.

Although not shown in the figure, there may beintermediate switching centers (serving MSC/VLR

may be located at the other end of the world).


62/62

Documents

IN GSM Notes